Friday, October 29, 2010

Damn Vulnerable Web App: Learn & Test Web Security


Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be lightweight, easy to use and full of vulnerabilities to exploit. It is meant to help security professionals test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and help teachers and students teach and learn web application security in a classroom environment.

List of vulnerabilities:
    * SQL Injection
    * XSS (Cross Site Scripting)
    * LFI (Local File Inclusion)
    * RFI (Remote File Inclusion)
    * Command Execution
    * Upload Script
    * Login Brute Force


DVWA 1.0.7 LiveCD specs:
Ubuntu Server 10.04 minimal
XAMPP Linux 1.7.3a (Apache 2.2.14, MySQL 5.1.41, PHP 5.3.1)
WebDav
Fluxbox (optional)
Firefox 3.6.8
Firefox add-ons include XSS Me, SQL Inject Me, Access Me, Tamper Data, REST Client, HackBar, ShowIP, User Agent Switcher, Firebug, NoScript and more.

What’s new in 1.0.7?
The help page has been improved.
The logged-in username is now displayed along with the vulnerability level and PHP-IDS status.
Blind SQL injection has been implemented.
Official documentation.
You can now compare all vulnerable source code in one page with the ‘view all’ button.
The whole theme has been redesigned, including a great-looking new logo.
Many bug fixes and small changes throughout the application.

Download link :

Reference: http://www.dvwa.co.uk/blog/
